What Is Two-Factor Authentication (2FA)? How 2FA Keeps Your Accounts Safe


Just yesterday, an old Microsoft account of mine was hacked by someone in Latvia. I received a security alert from Microsoft on my alternate email account and almost immediately began the process of recovering my account and fortifying its security.

I changed the password, removed an outdated phone number, and logged out of all current devices, ensuring the hacker couldn’t access the account anymore. After logging back in, I set up two-factor authentication.

Two-factor authentication (2FA) is a double layer of security that ensures only an authorized person can access your account. The second factor is typically a temporary code sent to your registered phone number, a fingerprint, or a face scan.

If someone manages to steal your password (like they did mine), they won’t be able to unlock the “door” to your account without the second “key.”

You can think of 2FA as having two bouncers at the front door of a nightclub, rather than just one! Good luck messing with them. Anyway, after I set up 2FA for my account, I went through my mailbox in detail to check whether the hacker had sent anything inappropriate to anyone or managed to obtain any information that could cause me nightmares.

Luckily, I stepped in at the right time and averted all danger. I logged out and slept like a baby — you can too, with 2FA.

Why Does Two-Factor Authentication (2FA) Matter?

Passwords aren’t enough. To put it into perspective, “123456,” “password,” and “123456789” are some of the most common passwords in the world. At least be creative, people!

I mean, sure, if you set and memorize a password like “gf$323la@%6^^,” the likelihood of someone hacking your account is pretty low, but the reality is even that’s not enough sometimes.

One small mistake could expose your account and threaten you with dire consequences.

Two-factor authentication (2FA) provides another layer of security to prevent hackers from accessing your online accounts if they guess your password.

2FA is an additional layer of security beyond passwords, and trust me, you need it. Here’s why it matters:

  • Cybercriminals never take a day off. Whether it’s phishing scams, data breaches, or malware, you need a second line of defense in the form of 2FA to make it harder for them to access your account.
  • It’s not just your mailbox at risk. Can you imagine the pickle you’ll be in if they access your bank or social media accounts? Without 2FA, you might as well place a welcome mat for hackers!
  • If you want to sleep easy at night, 2FA is a must. It’s like the virtual version of a buff security guard!

Setting up 2FA is as easy as making a cup of tea — you don’t need to be Steve Jobs. Remember, it’s better to be safe than sorry.

How Does Two-Factor Authentication Work?

By now, you’re probably itching to set up two-factor authentication on all your accounts — and honestly, you should be.

But how does it actually work? Well, I’m going to break it down for you so you can stop wondering and start securing — cybercrime is the bread and butter of hackers, and the night is young. I don’t want you to fall prey to their devious ways, so read on.

The Concept of Two Factors

2FA is based on “something you know,” “something you have,” and “something you are.” Let me break this down for you in simple terms:

  • Something you know: Your password.
  • Something you have: Usually a phone or authenticator application, such as Google Authenticator, that generates a temporary code.
  • Something you are: This is all about biometrics, such as your fingerprint or face scan.

The idea is that it’s much harder for cybercriminals to get their hands on all three of these “somethings.” This makes 2FA a pretty solid defense mechanism, in my opinion.

Note: Using two or more of these factors together is referred to as multi-factor authentication (MFA); 2FA is simply the special case of MFA in which exactly two of these things are combined.

Common 2FA Methods

You can use 2FA to safeguard just about any app, especially those that handle sensitive or personal data. It’s like your personal digital security system.

Common 2FA methods include SMS or email codes, authentication apps (such as Authy), biometric authentication (such as fingerprints or facial recognition), and hardware tokens.

Now, if we’re strictly talking in terms of two factors, here are some of the common 2FA methods you could use to add an extra layer of security to your account:

  • SMS or Email Codes: Once you register your phone number or an alternate email account, you can set them up to receive temporary access codes.
  • Authentication Apps: You can link your account with apps like Google Authenticator or Authy to generate time-based access codes.
  • Biometric Authentication: Fingerprints, facial recognition, and voice identification are common biometric authentication methods.
  • Hardware Tokens: You can plug in a hardware device like a YubiKey for physical authentication through a unique, time-sensitive code or public-key cryptography.

Pick your poison — I prefer authentication apps. Ultimately, it’s all about making sure you’re the only one who can get in!

The Step-By-Step Process of 2FA

The typical 2FA login experience is streamlined.

Here’s a step-by-step outline of the process:

  1. Enter your username and password.
  2. The system will then prompt for the second factor.
  3. For instance, you may be asked to confirm the phone number on file (for verification purposes) and then type in the code sent to that number.
  4. If all things check out, you’re in.

The second step ensures that even if someone has your password, they can’t access your account without the second “key.” How cool is that?

Benefits of Two-Factor Authentication

All 2FA methods (except for hardware tokens) are available for free, so I see no reason why you’d shy away from using them to doubly secure all your accounts.

Even if you think you have impenetrable passwords, would you say no if someone offered a free physical security system for your house? Of course not! Then why treat your digital life any differently?

Enhanced Account Security

Password breaches through phishing attacks are as common as rain during the monsoon season. You have to be on your toes at all times.

My biggest mistake with the Microsoft account was not securing it with 2FA. To be fair, the account is as old as my grandmother, and I didn’t know about 2FA back then. Learn from my mistakes and do what’s right.

Speaking of phishing attacks, a hacker may pose as a legitimate party and send you a fraudulent email or text message, hoping you’ll fall for the trap and reveal your personal information. Always double-check the source.

For instance, when I received an email from the Microsoft security team, I verified the legitimacy of the sender — it checked out. Don’t panic and do something silly.

Deterrence Against Cybercriminals

Even if someone manages to crack open the first layer of security to your account (let’s just say you fell victim to a sophisticated phishing attack), 2FA adds a level of complexity that makes it harder for the attacker to gain access.

While cybercriminals can still infiltrate your account if the stars are aligned in their favor, they’ll have a much tougher time — I’ll talk about this soon, don’t sweat it.

Peace of Mind

One of my golden rules is putting my phone on silent when I’m hitting the sack.

While I love my friends dearly, long gone are the days when I want to be awoken by the 3 AM relationship dilemma!

Without 2FA, I truly believe you can’t sleep peacefully. I mean, how can you sleep knowing your account could be compromised overnight? My Microsoft account wasn’t subject to a phishing attack, but a “poorly” set password!

2FA provides assurance that your sensitive data has an extra layer of protection. Get that beauty sleep — you deserve it.

Versatility

In football (you might call the beautiful sport soccer), a versatile player is as valuable to a team as gold is to a banker. For example, Fede Valverde, Real Madrid’s talisman in my opinion, can play in midfield, attack, and defense.

This makes him an invaluable asset, as injuries are commonplace in today’s game — they literally play every three days! 2FA is just as versatile as Valverde, as it’s applicable to banking, social media, email, and enterprise systems.

Challenges and Limitations of 2FA

I won’t go as far as to say 2FA doesn’t pose any limitations or challenges. While it significantly improves account security, it does have some drawbacks.

The good news is, if you have a smartphone, a stable internet connection, and a little bit of patience, you should be able to swat these inconveniences like a pesky fly.

Convenience vs. Security

This is where your patience is tested. If you can’t spare a few seconds or at most just over a minute to log into your account through two factors, you probably deserve a security scare or two. I know, I’m being mean.

But my friend, the additional steps 2FA involves are worth the effort. It’s like weighing convenience vs. security. Sure, you could board an airplane quicker without a security check, but it’s much safer with security. Be smart.

SMS Vulnerabilities

Do you know why it’s called a phishing attack? Because your attacker is literally “fishing” for your password and hoping you fall for the “bait” they throw at you.

For example, an attacker may send you a fake login page (the bait) and hope you provide your login credentials. If you’ve enabled 2FA, they may then trick you into revealing your 2FA code, especially if it’s sent via SMS or email.

Alternatively, before password phishing, they may convince your mobile provider to transfer your phone number to a new SIM and intercept SMS-based 2FA codes. This is called SIM swapping. Be diligent!

Accessibility Issues

If you don’t have a smartphone or a stable internet connection, you could face accessibility issues. The real problem here is a poor internet connection, as just about everyone has a smartphone these days — there are nearly five billion smartphone users worldwide. And let’s face it, if you don’t use a smartphone, you probably don’t need 2FA in the first place.

Getting back to your internet connectivity, 2FA codes delivered through authenticator apps, in particular, are time-bound (generally capped at 30 seconds). Poor internet connectivity could lock you out of your account for a significant period!
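The time-based codes that authenticator apps generate (the 30-second steps mentioned above, and the "second factor" step in the login outline earlier) follow RFC 4226/6238. The block below is an added example, not code from the article or from any authenticator vendor; it uses the RFC's own published test key as a constructed demo secret and a constructed clock value, and the verification window it shows is a common server-side choice, not something the article specifies.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 4226/6238 test-vector key, NOT a real account secret.
# Authenticator apps show the same kind of secret as a base32 string at enrollment.
DEMO_SECRET = b"12345678901234567890"
DEMO_SECRET_BASE32 = base64.b32encode(DEMO_SECRET).decode()  # what the QR code carries

STEP_SECONDS = 30  # the "30-second cap" on authenticator-app codes
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: Optional[float] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP whose counter is derived from the clock, so the phone needs no network."""
    if now is None:
        now = time.time()
    return hotp(secret, int(now) // step)

def verify_totp(secret: bytes, submitted: str, now: Optional[float] = None,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Server-side check. `window` tolerates clock drift and slow typing by also
    accepting the neighbouring time steps. A real server additionally remembers the
    last accepted counter so the same code cannot be replayed."""
    if now is None:
        now = time.time()
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        # compare_digest keeps the comparison constant-time regardless of which digits match
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False

def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret an app displays at enrollment (spaces and case ignored)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)

if __name__ == "__main__":
    code = totp(DEMO_SECRET, now=59)  # constructed clock value: 59 s after the epoch
    print("code at t=59:", code, "| accepted at t=61:", verify_totp(DEMO_SECRET, code, now=61),
          "| accepted at t=121:", verify_totp(DEMO_SECRET, code, now=121))
```

Because the code depends only on the shared secret and the clock, a phone with no signal still produces valid codes; what a verifier actually needs is that the phone's clock is within a step or so of the server's.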

Backup Concerns

If you’ve lost your phone, you should contact your mobile carrier to temporarily block your SIM card (to avoid SMS-based 2FA interception). If you use an authenticator app, like Google Authenticator, you can easily regain access to your account on another device through recovery options (such as a backup email or phone number).

I’m talking about your account, not your authenticator app — you can recover access to the authenticator app through backup codes or recovery keys (note them down and keep them safe). Simply put, you shouldn’t lose access to your accounts if you think on your feet.

Implementing 2FA: A Quick Guide

I use three 2FA methods to protect my accounts: an authenticator app (Microsoft Authenticator), email, and SMS. I always learn something new when I’m researching a topic, and I’ve realized email and SMS aren’t as strong 2FA options as an authenticator app (the idea of SIM swapping frightens me).

So, the first thing I’m going to do this weekend is ramp up my account security by using a combination of Microsoft Authenticator and Google Authenticator for 2FA.

Step 1: Enable 2FA

I bet you have a Gmail account, so let’s start there.

To enable 2FA on Gmail, hop into your Gmail settings by clicking on the Manage your Google Account option on your smartphone. Then, navigate to the Security section and click on the 2-Step Verification option.

You’ll see that it’s currently off. Enter your password to verify that it’s truly you who wants to correct this wrong, and voilà, you’re ready to choose a 2FA method!

Step 2: Choose a Method

You can choose to shield your Gmail account with an authenticator app, SMS text message, or Google Prompt.

In this particular case, you can’t go wrong with an authenticator app or Google Prompt — Google will send a push notification to your phone when you try to log in and all you have to do is approve the request with a swift tap. Simple. You already know why I don’t like the idea of using SMS for 2FA.

Once you’ve chosen your method, you have to perform a few quick and easy steps to configure things (just follow the prompts on your screen), and boom — your Gmail account is twice as secure!

Step 3: Backup Codes and Recovery Plans

When you set up 2FA for a Google account, or any other account, really, the service may offer a one-time backup code in case you lose access to your authenticator app, for example. So, note this code down somewhere and keep it safe. Like, really safe.

Also, don’t forget to set up a backup email address or phone number in case you lose access to your 2FA method. You can use these recovery methods to regain access to your account.

Best Practices for Using 2FA

I’m not a master chef (MasterChef Australia is a fantastic show) but I can prepare a decent meal on date nights.

I’ve picked up several masterful tips from my mother over the years, who’s an amazing cook (surprise, surprise), chief of which is how to prepare the perfect spice blend for curry (I love chicken curry with tandoori naan).

While it’s easy to implement 2FA, a slight mistake could lead to a “substandard dish.” And in this case, you can’t just order takeout.

Keep Backup Codes Safe

If you lose your smartphone, it’s not the end of the world. In the 2014 FIFA World Cup Final, German supersub Mario Götze came off the bench to score the winner against Argentina.

A football team isn’t about the 11 players that start the game — the substitutes play a key role when the opposition’s legs are tiring. You can think of backup and recovery options as substitutes in your game against cybercrime.

If you don’t keep your backup codes safe, and you lose a “player” to injury, the opposition will have an upper hand. And you might end up paying dearly.

Use Authentication Apps Over SMS

You’re a smart person, so I don’t have to remind you of the risks of using SMS as a 2FA method. Just use an authentication app. You’ll thank me after you avoid a nasty SIM swapping attack.

Avoid Public Wi-Fi When Accessing Sensitive Accounts

Let’s say you’re sipping coffee at your favorite coffee shop, and you receive a message from your bank. Out of curiosity, you open it, and are overjoyed — you’ve just received a bonus!

Now, while I’d be tempted to open my banking app and check my balance, I wouldn’t. Why? You’re probably connected to public Wi-Fi, which is a hacker’s playground.

So while the message from your bank was legitimate, your joy might turn to gloom if a cybercriminal intercepts your data. Stick to trusted, secure Wi-Fi connections and your mobile data when accessing sensitive accounts.

Regularly Update Devices and Apps

I’m an iOS user and whenever Apple releases a new software update, it lists the improvements of the new version. Security patches are often on the agenda.

You see, the battle between good and evil is constant. So, while the good side of tech is advancing, the bad side isn’t running on one leg — it’s learning new tricks.

If I don’t update my software, I might be left vulnerable to one of these tricks. Regularly update your devices and apps.

Taking Your Online Security Twice as Seriously With 2FA

Have you heard of data broker websites? Acxiom and Equifax are some of the big fish in the sea. They scour the internet for your personal information, such as your name, date of birth, contact information, and job title, and sell it to interested parties.

The worst thing is, this is completely legal. Yes, you heard me — data brokerage is legal. So, if the password to your Gmail account is a combination of your name and date of birth, hackers will figure it out.

And this is just the legal side of things. It’s not beyond cybercriminals to breach an online system and steal user account databases — it eliminates the guesswork and saves time. 2FA is not a want — it’s a need.

Avoid using your phone number as a 2FA method unless it’s absolutely necessary (use a 2FA app instead), and remember to store your backup codes securely in an offline location (like a bank vault).

It’s time 2 Fortify Access with 2FA. You see what I did there?